OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of requird »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - requird

Pages: [1]
1
General Discussion / Re: Only one physical LAN port works at any given moment
« on: June 18, 2023, 05:27:49 am »
Maybe a hardware issue?

Do you have any switches in your network? Is there a possibility of a loop?

2
General Discussion / Re: Only one physical LAN port works at any given moment
« on: June 17, 2023, 03:33:28 am »
Sorry, I should be more clear.

LAN1 will be assigned the IP address 192.168.1.1.
LAN2 will be 192.168.2.1
LAN3 will be 192.168.3.1

Under Services -> DHCPv4
Set the subnet and mask to 192.168.1.0 and 255.255.255.0

Then configure the DHCP range.

This is like a basic configuration. Is this something like how yours is setup?

3
General Discussion / Re: Only one physical LAN port works at any given moment
« on: June 17, 2023, 03:23:12 am »
I'm using one of those machines. I like it.

I don't know what the problem is, but I just want to make sure you did some things first.

I have LAN1, LAN2, LAN3, and WAN assigned in the interfaces.
Each LAN has a different network range. For example:
LAN1 192.168.1.0/24
LAN2 192.168.2.0/24
LAN3 192.168.3.0/24

Then, DHCP each LAN.

Is this similar to your setup?

4
General Discussion / [Solved] Re: HAproxy Client Certificate Auth not working as expected
« on: June 16, 2023, 09:20:40 pm »
Finally got it working.

In the Public Service, under Client Certificate Auth, I have it Enabled.
Verification: required
Certificate Authorities: I choose my intermediate CA in OPNsense
Certificate Revocation Lists: Nothing selected (Leave blank)

Just by changing the Revocation list to Nothing, it works!

I don't know what is going on since I don't have any revoked certs in the CRL.
But I did notice that in OPNsense System -> Trust -> Revocation that particular CRL says No under In Use.

5
General Discussion / Re: HAproxy Client Certificate Auth not working as expected
« on: June 15, 2023, 06:51:27 am »
Just an update. I think I found the issue, but there's another problem.

When I go to Services: HAProxy: Maintenance: SSL Certificates tab, I don't see any certs there. The table is empty and it says, No Results Found! I've stopped and started the HAproxy service from the dashboard, restarted it, and I've rebooted OPNsense. I can't seem to get the certs loaded on this page. I've enabled the Cron job to sync SSL certs and nothing happened after the scheduled time.

Also, the two buttons for:
Show diff: Show difference between configured SSL certificates and SSL certificates from the running HAProxy service.
Apply changes: Apply all changes by syncing all shown SSL certificates into running HAProxy service.

When I click them, nothing happens.

6
General Discussion / [Solved] HAproxy Client Certificate Auth not working as expected
« on: June 13, 2023, 06:50:01 am »
Been stuck for a few days and hope the forums will help!

I'm running HAproxy. When I don't enable the Client Certificate Auth on the HAproxy Public Service, everything works well. When I enable it, I get ERR_BAD_SSL_CLIENT_AUTH_CERT even though I have a valid client cert installed.

My setup:
I've created a root CA, intermediate CA, and a couple client certs (signed with the intermediate) on OPNsense.
I have a basic nginx vm running with a cert signed with my intermediate. I have installed the intermediate cert and a client cert on my Android phone.

When I try and connect with Chrome, I get asked to select a client cert, then it gives me the error message. It's like HAproxy doesn't check the CAs I selected. (please see attached pic.)

Here is what part of my HAproxy config file looks like:
Code: [Select]
# Frontend: homeproxy_frontend (homeproxy_frontend)
frontend homeproxy_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl ca-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.calist verify required crl-file /tmp/haproxy/ssl/6487e7ccd48e14.01589139.crllist crt-list /tmp/haproxy/ssl/6487e7ccd48e14.01589139.certlist
    mode http
    option http-keep-alive
    default_backend homeproxy_backend

    # logging options

# Backend: homeproxy_backend (homeproxy_backend)
backend homeproxy_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server homeproxy-server homeproxy.example.com ssl sni str(homeproxy.example.com) verify required ca-file /tmp/haproxy/ssl/64838ae1e21fe5.61086700.calist

I'm stumped as to why HAproxy doesn't like client cert auth. Anyone have any suggestions?

Thanks!

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2